Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Diicot cybercrime gang expands its attack capabilities

Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet. Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot (formerly, “Mexals”) and described in analyses published by Akamai and Bitdefender. The experts discovered several payloads, some of which were not publicly known, […]

Diicon threat actor

Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet.

Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot (formerly, “Mexals”) and described in analyses published by Akamai and Bitdefender.

The experts discovered several payloads, some of which were not publicly known, that are being used as part of a new ongoing campaign. 

Evidence collected by Cado suggests the deployment of a botnet having DDoS capabilities.

The use of the name Diicot, which is also the name of a Romanian organized crime and anti-terrorism policing unit, and the presence of Romanian-language strings and log statements in the payloads suggests that the group could be based in Romania. 

The Diicot cybercrime group has traditionally been associated with cryptojacking campaigns, but Cado Labs observed the group deploying the off-the-shelf Mirai-based bot known as Cayosin. The Cayosin bot employed in the attacks observed by Cado targeted routers running the Linux-based embedded devices operating system OpenWrt

The group has distinctive TTPs such as the heavy use of the Shell Script Compiler (shc) and a custom version of the UPX packer (using a header modified with the bytes 0x59545399) to prevent unpacking via the standard command (“upx -d c”).

Diicot heavily used Discord for C2, the platform supports HTTP POST requests to a webhook URL, allowing exfiltrated data and campaign statistics to be viewed within a given channel. Cado identified four distinct channels used in this campaign.

“Diicot campaigns generally involve a long execution chain, with individual payloads and their outputs forming interdependent relationships. shc executables are typically used as loaders and prepare the system for mining via Diicot’s custom fork of XMRig, along with registering persistence.” reads the report published by Cado. “Executables written in Golang tend to be dedicated to scanning, brute-forcing and propagation, and a fork of the zmap internet scanning utility has often been observed.”

Diicon threat actor

The attack chain observed by the researchers is very long and the last stage is a Monero cryptominer.

The initial access for this campaign is via a custom SSH brute-forcing tool, named aliases.

The experts also observed the group using a set of tools including an internet scanner named Chrome which is based on Zmap, an shc executable named Update that retrieves Chrome and aliases if they don’t exist, and a shell script named History that checks whether Update is running and executes it if not.

“Diicot are an emerging threat group with a range of objectives and the technical knowledge to act on them. This campaign specifically targets SSH servers exposed to the internet with password authentication enabled. The username/password list they use is relatively limited and includes default and easily-guessed credential pairs.” concludes the report. “Cado Labs encourages readers to implement basic SSH hardening to defend against this malware family, including mandatory key-based authentication for SSH instances and implementation of firewall rules to limit SSH access to specific IPs.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)